The WordPress plug-in Anti-Spam by CleanTalk is used on over 200,000 WordPress sites. Two critical security vulnerabilities have been discovered that allow attackers on the network to completely compromise vulnerable instances without prior authentication.
IT security researchers at Wordfence reported a vulnerability in Anti-Spam by CleanTalk that allows attackers to bypass authorization by spoofing reverse DNS. Unauthenticated attackers can use it to install and activate arbitrary plug-ins on vulnerable WordPress instances and thus execute arbitrary code (CVE-2024-10542, CVSS 9.8, risk "critical"). Shortly afterwards, Wordfence analysts found a second, similar vulnerability in the plug-in with the same impact (CVE-2024-10781, CVSS 9.8, risk "critical").
Two similar weaknesses
The plug-in can respond to remote requests (remote calls) and perform actions such as installing additional plug-ins. To decide whether a call is legitimate, a plug-in function resolves the calling IP address via reverse DNS and uses strpos() to check whether "cleantalk.org" appears anywhere in the resulting hostname. The check can therefore be passed with an attacker-controlled subdomain such as cleantalk.org.boese.domain ("boese" is German for "evil"): the attacker only has to make the reverse DNS record of their own IP address point to such a name. Once the check passes, the plug-in's remote functions may be called and executed.
The second vulnerability Wordfence discusses concerns the token check. The plug-in authorizes a request after successfully comparing the hash of the submitted token with the configured API key. However, it does not refuse authorization when the API key is empty. If no API key has been configured yet, attackers can authorize themselves by sending a token that matches the hash of an empty value and can then likewise call plug-in functions, for example to install further plug-ins.
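The following PHP is an added illustration of both checks described above; it is not the CleanTalk plug-in's own code. It places the vulnerable pattern (substring match on the reverse-DNS name, token compared against the hash of a possibly empty key) next to a hardened version. Assumptions that are not in the article: the function names, that the token hash is md5(), the forward-confirmed reverse DNS step in the hardened host check (the article only says the original check was insufficient), and the constructed hostnames, IP addresses and zone data used as sample input.

```php
<?php
// Added illustrative example, not the CleanTalk plug-in's own code.
// Assumptions (not from the article): the hash function is md5(), the
// function names, the forward-confirmation step, and the constructed
// sample inputs at the bottom.

declare(strict_types=1);

const TRUSTED_DOMAIN = 'cleantalk.org';

/* --- Vulnerability 1: reverse DNS check that only looks for a substring --- */

// Vulnerable pattern: passes for "cleantalk.org.boese.domain" because the
// trusted name merely has to appear somewhere in the resolved hostname.
function vulnerable_host_check(string $hostname): bool
{
    return strpos($hostname, TRUSTED_DOMAIN) !== false;
}

// Hardened pattern: the resolved name must BE the trusted domain or end in
// ".cleantalk.org", and the name must resolve forward to the calling IP
// (forward-confirmed reverse DNS), so a spoofed PTR record alone is not enough.
// $forward_lookup maps hostname -> list of A records and is injected so the
// example runs offline; in production pass a wrapper around gethostbynamel().
function hardened_host_check(string $ip, string $hostname, callable $forward_lookup): bool
{
    $hostname = strtolower(rtrim($hostname, '.'));
    $suffix   = '.' . TRUSTED_DOMAIN;
    $name_ok  = $hostname === TRUSTED_DOMAIN
             || (strlen($hostname) > strlen($suffix)
                 && substr($hostname, -strlen($suffix)) === $suffix);
    if (!$name_ok) {
        return false;
    }
    $addresses = $forward_lookup($hostname);
    return is_array($addresses) && in_array($ip, $addresses, true);
}

/* --- Vulnerability 2: token check that accepts an empty API key --- */

// Vulnerable pattern: if no API key is configured, $api_key is '' and the
// expected value is simply the hash of an empty string, which anyone can send.
function vulnerable_token_check(string $token, string $api_key): bool
{
    return $token === md5($api_key);
}

// Hardened pattern: refuse remote calls outright until a key is configured,
// and compare in constant time.
function hardened_token_check(string $token, string $api_key): bool
{
    if ($api_key === '') {
        return false;
    }
    return hash_equals(md5($api_key), $token);
}

/* --- Constructed demonstration inputs (not real hosts or keys) --- */

$forward_lookup = function (string $hostname): array {
    // Constructed zone: only the genuine name resolves to the "legitimate" IP.
    $zone = [
        'api.cleantalk.org'          => ['192.0.2.10'],
        'cleantalk.org.boese.domain' => ['198.51.100.7'],
    ];
    return $zone[$hostname] ?? [];
};

$cases = [
    ['192.0.2.10',   'api.cleantalk.org'],          // genuine caller
    ['198.51.100.7', 'cleantalk.org.boese.domain'], // attacker subdomain from the article
    ['198.51.100.7', 'api.cleantalk.org'],          // attacker PTR spoofing the real name
];
foreach ($cases as [$ip, $host]) {
    printf("%-28s vulnerable=%s hardened=%s\n", $host,
        var_export(vulnerable_host_check($host), true),
        var_export(hardened_host_check($ip, $host, $forward_lookup), true));
}

// With an unconfigured (empty) key, the vulnerable check accepts md5('').
$empty_key_token = md5('');
printf("empty key: vulnerable=%s hardened=%s\n",
    var_export(vulnerable_token_check($empty_key_token, ''), true),
    var_export(hardened_token_check($empty_key_token, ''), true));
```

Run with `php example.php`. The vulnerable host check accepts all three hostnames, while the hardened check accepts only the genuine caller: the attacker's subdomain fails the suffix test, and the spoofed PTR fails because the name does not resolve forward to the attacker's IP. For the token, the vulnerable check accepts the hash of an empty string whenever no key is configured; the hardened version refuses every remote call until a key exists.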
Both vulnerabilities affect Anti-Spam by CleanTalk before the fixed version 6.45, which was released in mid-November. Version 6.44 fixes only the first of the two, the insufficient reverse DNS check. Administrators using the CleanTalk plug-in should verify that they are running the latest version with both fixes.
WordPress plug-ins frequently jeopardize the security of the instance. 200,000 websites threatened by an anti-spam plug-in is already a lot, but other plug-ins with security gaps have even larger install bases: the Really Simple Security plug-in, with 4,000,000 installations, had a significant vulnerability discovered and disclosed about two weeks ago. The security flaws in the WordPress plug-in LiteSpeed Cache reach even further, since it is used on approximately 6,000,000 WordPress instances.
(DMK)